Tipping point of trust in mobile payments

Finally mobile payment is starting to take off. Yet, for it to become a true success story, establishing trust is paramount. The question is, is software security the hero or villain of this story?

How safe is it?
Security and fraud prevention concerns are key drivers in the slow uptake of mobile payments. Can someone else use my smart phone to make purchases?
Identity verification and device based authentication are the cornerstones for any mobile payment transaction. Put simply, is it you and are the security assets for the point of sale (POS) secured within the device. This can be achieved using either hardware or software.

In January, Apple CEO Tim Cook told the Financial Times that Apple Pay now counts for two of every three dollars spent via contactless payments on the US’s three largest card networks. And Apple, being Apple, chose hardware – using an on-device secure element (SE) to hold the data, run the cryptographic processes, and generate the necessary tokens – to protect the mobile payment transactions. They and others in the industry believe that hardware provides better security.

Is software really the soft option?
From a software perspective, you can use host card emulation (HCE). Instead of storing the data on the SE, tokens are downloaded to the device. For some this feels less secure. Data is stored in the cloud. It’s more vulnerable to attack – right?

This debate about hardware versus software is nothing new. We’ve experienced it in the media industry for content protection: smart cards or conditional access software. And our customers know that our security software is just as secure. In fact, with software there are additional advantages in terms of the speed and simplicity of deployment, which are just not possible with hardware. Should the hackers breach the iPhone6, replacing the physical SE will be more difficult. Unlike software where there’s an easy, fast and responsive mechanism to push out security updates. Not to mention it being more cost-effective. Sounds like the hero to me.

Only part of the story
It’s important to remember that banks and credit card companies require much more security and encryption for mobile payment transactions than what is on the device alone. They demand comprehensive credentials management. Yes, they can put a security app onto your device but the tokens and keys need to be managed and secured. It’s an end-to-end process in a complex environment. For the Trusted Service Manager it’s about providing more than just technology. It’s a security service: being able to track, monitor, trace and manage the diverse credentials in real-time. It’s only with end-to-end credentials management that you will earn the consumers trust.

And with mobile payments boosting the roll out of NFC enabled devices, the NFC tags capability will lead to more data and devices needing to be secured and managed. But more on NFC and the Internet of Things another time.